JP2010531516A - Device provisioning and domain join emulation over insecure networks - Google Patents

Abstract

A proxy service that allows domain join operations for clients over an insecure network. The enrollment operation is accomplished with minimal security exposure by using machine identification information rather than user credentials. The proxy only uses the permissions associated with adding a new machine account to the corporate directory without adding a user account or taking ownership of an existing account. With a proxy, authentication based on actual machine account credentials rather than conventional techniques like delegation makes it possible to obtain a signed certificate. Furthermore, the registration process does not require or rely on a public trust, but employs the original trust relationship between the device and the proxy.
[Selection] Figure 1

Description

  The present invention relates to a proxy service that enables a domain join operation for a client via a network.

  Legal computers are typically identified through a community mechanism that is referred to by a similar name in a “domain” or non-Microsoft network (eg, Novell Directory, Yellow Pages, etc.) (eg, in the Microsoft network). It is managed. Domain membership is considered essential in many corporate deployments to identify specific machines and to centrally manage machine content (eg, policies, software, and configurations).

  For example, for a portable computer such as a laptop, becoming a domain member usually requires authorization through authentication credentials such as a username and password. After some processing, the computer is joined to the domain. Credentials authenticating a user attempting to join a machine to the domain can be provided, for example, manually or via a smart card.

  For example, mobile devices present difficulties in this area in that mobile phones do not have the technical equipment to perform domain join operations. If mobile phones have rarely been used in corporate networks until now, it takes a lot of time for a supplier to provide a solution for such a device. Thus, smart card resolution is cumbersome and user credentials such as username / password can be compromised if authentication is not end-to-end.

  Domain controllers are considered a key point of security in corporate networks and are expected to be well protected behind firewalls and other isolated devices. In particular, since mobile devices are often remote (or outside the corporate intranet) and do not have direct access to the corporate domain controller, many such devices are intended to successfully join the corporate domain. The required software components are missing. The difficulties are multi-faceted, filling the software gap from the mobile phone to the network, and securely performing subscription operations from outside the corporate network via an insecure (wireless or OTA) wireless public interface. ,including.

  An object of the present invention is to provide a domain subscription function using the original trust relationship between the client device and the proxy.

  The following presents a simplified summary in order to provide a basic understanding of the new embodiments described herein. This summary is not an extensive overview and is not intended to identify key / critical elements nor to depict the scope in a diagram. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.

  The disclosed architecture includes a registration proxy that facilitates domain subscription operations for mobile clients. To join a client to the private domain, a proxy that operates software on behalf of the mobile client and fills the connection gap is accessible from the public domain (eg, the Internet) over the air (OTA). One novelty is that services published on the Internet do not have innate rights and the compromise presents greatly reduced risk to the private domain. This architecture introduces a proxy as an intermediary service to facilitate subscription operations, and once the operation is complete, the proxy no longer needs to maintain a connection between the client and the private domain.

  In a first implementation, domain subscription by proxy is achieved using only the username and password provided to the proxy by the user of the mobile device. The proxy on behalf of the mobile client establishes a private domain account. The private domain and the proxy have a trust relationship, but the proxy suppresses the disclosure of the private domain due to a security risk.

  Furthermore, a second robust and secure implementation employs a one-time password (OTP). A registration proxy allows domain subscription operations through a proxy for mobile clients. The join operation is accomplished with minimal security exposure. The enrollment operation is based on the machine identity of the mobile device, not the user credentials (eg username and password), and therefore there is no potential (eg impersonation crime) risk associated with compromising the identity of the user. . The registration proxy only needs the authority to add new machine accounts to the corporate (or corporate) directory, and the proxy is not granted the authority to add user accounts or take ownership of existing accounts. The registration proxy does not use conventional techniques such as delegation, but obtains a signed certificate based on the actual machine account credentials. The registration process employs private root trust between the mobile device and the registration server, rather than requiring or relying on a public trust. Eventually, the client is granted a machine identity in a private domain of a corporate directory (eg, Active Directory by Microsoft) and is signed public credit that allows self-authentication as a domain member associated with that account. A certificate (for example, X.509 of the public key authentication infrastructure standard) is received.

  Several illustrative features for achieving the foregoing related conclusions are described herein in connection with the following description and the accompanying drawings. However, these functions illustrate only a few different ways in which the principles disclosed herein can be used and are intended to include all functions and their equivalents. Other advantages and new features will become apparent from the following detailed description when considered in conjunction with the drawings.

1 illustrates a domain member credential management system implemented in a computer for joining a device to a domain. Fig. 6 illustrates an alternative system for managing domain membership for a domain. Illustrates information persisted in the domain data store for at least bootstrap and authentication purposes. Illustrate domain membership management method. Fig. 6 illustrates a method for surviving data in a data store to assist in establishing trust relationships and authentication. An example of a method for providing authentication information by an apparatus for authenticating a proxy server will be described. The apparatus registration method by authenticating a proxy is illustrated. 2 illustrates a client authentication method for a proxy. 6 illustrates an example of a method for acquiring a credential after authentication of a device and a proxy. An example of how to obtain a credential for domain registration is shown below. FIG. 4 illustrates a block diagram of a computing system operable to provide insecure provisioning and domain subscription emulation. FIG. 4 illustrates a schematic block diagram of an exemplary computing environment that facilitates insecure provisioning and domain subscription emulation.

  The disclosed architecture is generally associated with (e.g., mobile) clients seeking access to (e.g., corporate) private domains and provides a single secure mechanism that solves traditional insecure connectivity and access problems. . The solution consists of a registration proxy that is accessible over the air (OTA) to clients in a public network (eg the Internet) and is based on either user credentials or machine credentials. Facilitates operation and then disconnects itself from the connection. Finally, the client is given membership in the private domain.

  Here, the same reference numbers are used to refer to similar elements from start to finish and reference is made to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in detail in order to provide a thorough understanding thereof. It may be evident, however, that new embodiments may be implemented without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate their description.

  Referring initially to the drawings, FIG. 1 illustrates a system (100) implemented in a computer for managing domain membership. The system (100) provides a mechanism for allowing a mobile client (102) to join a private domain (104) via a registration proxy server (106). The proxy (106) provides an interface between the public domain (eg, mobile phone) and the private domain (eg, corporate) where the mobile client (102) operates. In this implementation, the domain subscription is based on user credentials in the form of a username and password provided by the user of the mobile client (102). The proxy (106) is given a username and password and substitutes for the client (102) for the domain (104) to join the client (102) to the domain (104).

  In support thereof, the proxy (100) receives the user credentials from the mobile client (102) and communicates the user credentials with the authentication component (110) of the proxy (106). including. The authentication component (110) then performs authentication for the private domain on behalf of the client (102) and generates a machine account in the private domain based on the user credentials. In the following implementation, there is no request to use the One Time Password (OTP) or Single Use Personal Identification Number (PIN) used.

  FIG. 2 illustrates an alternative and more robust system (200) for managing membership for a domain. The following begins with a description of advanced system operations and continues with a detailed description of processes between entities.

  The system (200) facilitates a two-step process for joining a device (202) to a private domain (104) (eg, mobile, portable computer). The first stage relates to creating a trust relationship between the device (202) and the proxy (106), referred to herein as the "basic" trust relationship. The basic trust relationship is itself a two-part process in which the processing device (202) confirms that the proxy (106) is the correct proxy and the proxy (106) Confirm that connection to (104) is allowed. Once established, the basic trust relationship no longer requires a proxy (106). The second stage creates a trust relationship between the device (202) and the private domain (104), referred to herein as the “full” trust relationship. Similarly, once established, a full trust relationship no longer requires a proxy (106).

  The operation of the system (200) is based on another type of credential, such as OTP (or PIN), rather than the user credential used in the system (100) of FIG. For purposes of this description, assume that the user has been provided with an OTP associated with a previous interaction with the private domain (104), and both the user and the private domain share the same credentials. ing. The means by which the user device obtains the OTP can be by any conventional safe or insecure mechanism. If neither the user device nor the domain can provide (or access) the OTP, the domain joining operation ends.

  Usually, the interaction begins with the establishment of a basic trust relationship from the device (202) to the proxy (106). Device (202) checks to ensure that proxy (106) is the correct proxy. This is achieved by a device that sends a request for corporate credit information to the proxy (106). The proxy (106) may also generate a signature signature hash of the credential, which is generated using a key derived from an already defined OTP. By generating the same hash for the device (202) using OTP, the device (202) may verify that the proxy (106) is a “proper” proxy for establishing a basic trust relationship. If the proxy (106) is unable to access this credential server, the proxy (106) is not an “appropriate” proxy for establishing a basic trust relationship and the process ends.

  Once the first basic trust relationship from the device (202) to the proxy (106) is established, the second basic trust relationship then allows the device (202) to join the private domain (104). A proxy (106) is included to check if the device can be done. Once this bi-directional basic trust relationship has been established between the device (202) and the proxy (106), the proxy (106) can replace the device (202) to obtain credentials. Operates and the device then creates an accessible machine account. This includes the use of a domain data store (204) for hosting the machine account (206) and a domain certificate authority (208) for issuing credentials relating to the full trust relationship established.

  Before continuing with a more detailed description of the process, certain information is generated in the domain (104) (eg, in the data store (204)) based on the OTP provided to the user and stored in the domain (104). Will be understood. Hereinafter, the OTP, the encryption key acquired from the OTP, the name related to the machine account (206) of the device, the reference to the owner of the device (202) (for example, the data store account identifier of the owner), the machine account (206) of the device Hash key encoding (eg HMAC hash machine authentication code) digest of target container identifier in data store (204), user identification string (eg, email address of device owner) derived using said encryption key , And machine account (206) information is generated and persisted in the domain. The data store (204) can be a file, database, application partition, and the like. Note that, for example, the digest can be any encrypted species such as a user login ID or the word “anonymous”.

  In general, registration as described above includes establishing a first basic trust relationship by the device (202) that verifies the authenticity of the proxy (106). To accomplish this, the device (202) passes the HMAC digest to the proxy (106) by invoking a web service. This web service uses Secure Sockets Layer (SSL) for channel encryption but does not yet use SSL authentication. The proxy (106) then retrieves the already-stored encryption key from the data store (204) and generates its HMAC digest for the proxy's SSL credential chain trusted root domain credential. Use an encryption key. This HMAC digest is passed to the device (202) along with the corresponding root domain credentials, and the HMAC digest uses the already derived encryption key and verifies that it is correctly calculated by the proxy (106). .

  Once the device (202) determines that the domain credential can be trusted according to the above scheme, the device (202) now uses the SSL server full credential using the encrypted channel and the same Reconnect to proxy (106). The device (202) is reconnected to verify that the server SSL credentials are properly linked (or chained) back to the domain credentials for which the trust has already been determined. The device (202) then submits a credential request (eg, Public Key Cryptography Standard (PKCS) No. 10) with an HMAC digest of the credential request derived using the already calculated encryption key. To do. (The PKCCS # 10 standard credential request is a format for a message that is sent to a certificate authority to request a public key for a credential.) The proxy (106) Verify that it is obtained from a credential request provided using an already derived encryption key, thereby authenticating the device (202).

  The proxy (106) then creates data store information (information (304) in FIG. 3) linked to the HMAC digest to create a new machine account (206) in the data store (204) (eg, Active Directory). Is used. The new machine account (206) is logged in by the authentication component (110) and is used to submit a credential request to the certificate authority (208) during login. The issued credentials are then retrieved and returned to the device (202).

  Summarizing some of the new features, the registration proxy (106) emulates the domain join operation for the device (202). The subscription operation is based on a one-time password and therefore there is no risk of compromising user identification information. Furthermore, the registration proxy (106) only needs a minimum level of access to the domain to add a new machine account to the corporate (or corporate) data store. Furthermore, the registration proxy (106) is not granted the authority to add user accounts or acquire ownership of existing accounts. The basic trust relationship created between the client device (202) and the proxy (106) is finally used to establish a full trust relationship between the device (202) and the private domain (104). ). The machine identification can be stored in a domain data store or directory (eg, Active Directory by Microsoft), and the device (202) can sign itself as a private domain (104) member to authenticate itself A credential (eg X.509) is received.

  In any embodiment, OTP is used in combination with a unique device identifier (ID) that is hardware specific, and the identification information passed to proxy (106) includes both OTP and device ID. This prevents the use of OTP with another mobile device that the user may have or another mobile device that may be used on different devices by different users. In one implementation, based on the initial processing of the OTP, the basic or fully trusted process between the device (202) and the proxy (106) may be elevated to include the device ID, after which the device (202 ) Complete either a favorable or inconvenient credit process.

  FIG. 3 illustrates at least information for bootstrap and authentication purposes that persists in the domain data store (204). The following description is in the context of a mobile device (300) (eg, a mobile phone). However, it will be appreciated that portable computers and other wireless devices such as PDAs and tablet PCs may obtain the benefits of the disclosed domain registration architecture.

  The bootstrap process is based on the user's mobile device with the OTP (302) already acquired. Hereinafter, the information (304) of FIG. 2, OTP (302), an encryption key derived from OTP, (the mobile device (300) is considered a “new” device for the domain, thus the device (300) Device machine account (206) name, reference to owner of mobile device (300) (eg fully qualified domain name (FQDN) of owner's data store account), device machine Reference to target container in data store (204) for account (206) (eg container FQDN), hash key of user identity string (eg device owner email address) derived using the above encryption key (Eg HMAC) digest and machine Und (206), but then, it is generated, and persist in mediating data store (306).

  FIG. 4 illustrates a domain member qualification management method. To simplify the description, one or more methodologies have been illustrated and described herein as a series of operations, for example, in flowchart or flowchart form, and some operations are described herein accordingly. It will be appreciated and appreciated that the methodology is not limited to the order of operations, as some may occur in a different order and / or other actions than those shown and described. For example, those skilled in the art will understand and appreciate that a methodology can alternatively be presented as a series of correlated states or events, such as a state diagram. Moreover, not all illustrated operations may be required for new implementations.

  At (400), credentials for joining the domain (eg, OTP) are received from the mobile device, and the credentials are received by the domain proxy server via the wireless interface. At 402, a trust relationship is established between the mobile device and the proxy server based on the credential. At (404), a machine account is created in the domain for the mobile device via the proxy server based on the trust relationship. At (406), the mobile device is joined to the domain based on the machine account.

  FIG. 5 illustrates a method for persisting data in a data store that supports establishment of a trust relationship and an authentication process. At (500), after the OTP is created and assigned to the user's mobile device according to other procedures or processes, the proxy persists the OTP and encryption key in the data store. At (502), the proxy persists a name for the machine account in the data store. At (504), the proxy maintains a reference to the device (eg, information identifying the user's identity) in the data store. At (506), the proxy persists the FQDN of the target container of the machine account of the device in the data store. At (508), the proxy uses the encryption key described above to keep the hash key code digest of the encrypted species in the data store.

  FIG. 6 illustrates a method for generating authentication information by an apparatus for authenticating a proxy server. At (600), the device initiates access to the private domain via the registration proxy based on the already acquired OTP. At (602), the device prompts the user device for user account information and OTP. In (604), the device generates an encryption key using OTP. At (606), the device generates a hash key code (eg, HMAC) digest of user account information using the encryption key.

  FIG. 7 illustrates a method for registering a device by proxy authentication (for example, a mobile phone). At 700, the proxy authentication device is activated to ensure that the proxy is the intended network entity. At (702), the device uses a general encryption species (eg, user account or other user identification information) to generate a device identification in the form of a hash key code digest. At (704), the device then invokes a web service that employs channel encryption to send a digest to the proxy. A web service may use SSL for an encrypted channel but does not yet use SSL authentication. At (706), the proxy then retrieves the already stored encryption key from the data store. At (708), the proxy generates a hash key code digest (eg, HMAC) of the root credential of the server SSL credential chain. At (710), the proxy sends a root credential and a root credential digest to the device. At (712), the device verifies that the digest was calculated correctly by using the root credentials, using the device encryption key already derived, and recalculating the digest by the proxy. Once verified, the device now trusts its proxy as the intended network entity that the client wishes to communicate with.

  FIG. 8 illustrates a client authentication method for the proxy. Once the device authenticates the proxy, the proxy in turn authenticates the device. At (800), the device verifies that the proxy SSL credentials are properly linked (or chained) back to the domain credentials that have already been determined to be trusted. Reconnect to the proxy using channel encryption (eg SSL) and full server credentials. At (802), the device then submits a credential request along with a hash key encoded digest (eg, HMAC) digest credential request that is derived using an already calculated and stored encryption key. At (804), the proxy verifies that the digest of the credential request is derived from the provided credential request using the already derived encryption key. At (806), the proxy authenticates the device when successfully verified.

  FIG. 9 illustrates an apparatus and a method for acquiring domain credentials after proxy authentication. At (900), the proxy retrieves the data store information linked to the identification information digest. At (902), the proxy uses the data store information to create a new machine account in the data store. At (904), the proxy logs into the new machine account. At (906), the proxy submits the credential request received from the device to the certificate authority. In (908), the certification authority issues a signed domain credential based on the device identification. At (910), the proxy receives and sends the issued domain credentials to the device. The device now has full access to the domain service.

  As intended for the target architecture, a mechanism for obtaining a credential based on a delegated lack of rights to obtain a credential is provided to a device attempting to access a private domain for enterprise services. It provides tremendous benefits.

  The traditional proxy mechanism for obtaining credentials on behalf of a device is that the proxy requests a password from the device, sends the password to the certificate authority, receives a signed certificate from the certificate authority, and then signs Acting on behalf of the device by transferring the certificate to the device.

  A new alternative to the traditional proxy mechanism, which can be considered as “reverse delegation” as described herein, obtains credentials associated with the new machine account, and then at the end of the authentication process: The transfer of account ownership, thereby providing full access to the domain service to the credential recipient, in this case the device.

  FIG. 10 illustrates a method for obtaining a domain registration credential implemented in a computer. (1000), proxy authority is limited to creating new machine accounts. At (1002), the proxy creates an arbitrary machine account for the mobile device in the configuration directory based on provisioning information associated with the OTP. At (1004), the proxy requests credentials from the domain's certificate authority. At (1006), the proxy uses the hash digest of the credential request to verify the credential request calculation. At (1008), the proxy receives a signed client credential from the certificate authority. At (1010), the proxy transfers ownership of the machine account to the mobile device by sending a signed credential to the mobile device. At (1012), the proxy stops accessing the machine account after sending the signed client credentials to the client.

  The terms “component” and “system” as used in this application are intended to refer to any entity, hardware, combination of hardware and software, software, or running software associated with a computer. ing. For example, a component can be, but is not limited to, a process executing on a processor, a processor, a hard disk drive, multiple (optical and / or magnetic storage media) storage devices, an object, an executable thread of execution, a program, and / or a computer. do not do. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within an execution process and / or thread, and the components can be localized on one computer and / or distributed between two or more computers.

  Referring now to FIG. 11, there is a block diagram of an operable computing system (1100) illustrated to provide insecure provisioning and domain subscription emulation. In order to provide further context regarding its various functions, FIG. 11 and the following discussion are intended to provide a concise and general description of a suitable computing system (1100) in which various functions may be implemented. ing. While the above description is in the general context of instructions that can be executed by a computer that can run on one or more computers, those skilled in the art will recognize that the new embodiments may be implemented in combination with other program modules and It will be appreciated that it may be implemented as a combination of hardware and software.

  Generally, program modules include routines, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Further, those skilled in the art will recognize that the method of the present invention is a single processor or multiprocessor computer system, minicomputer, mainframe computer, and personal computer, portable computing device, microprocessor-based or programmable consumer appliance, and one or more associated It will be appreciated that other computer system configurations may be implemented, including each other that may be operatively connected to the device.

  The illustrated functions may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.

  A computer typically includes a variety of computer-readable media. Computer readable media can be any available media that can be accessed by the computer and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media include computer storage media and communication media. Computer storage media includes volatile and non-volatile removable and non-removable media implemented in any method or technique for storage of information such as computer readable instructions, data structures, program modules, or other data. The computer storage medium may be RAM, ROM, EEPROM, flash memory, or other memory technology, CD-ROM, digital video disk (DVD), or other optical disk storage device, magnetic cassette, magnetic tape, magnetic disk storage device, or This includes but is not limited to other magnetic storage devices or any other medium that can be used to store the desired information and that can be accessed by the computer.

  Referring again to FIG. 11, an exemplary computing system (1100) for implementing various functions includes a computer (1102) that includes a processing unit (1104), a system memory (1106). And a system bus (1108). The system bus (1108) provides an interface to system components including, but not limited to, system memory (1106) connected to the processing unit (1104). The processing unit (1104) can be any of a variety of commercially available processors. Dual microprocessors and other multiprocessor architectures may also be used as the processing unit (1104).

  The system bus (1108) further includes several memory buses (with or without a memory controller), peripheral buses, and several buses that can be interconnected with the local bus using any of a variety of commercially available bus architectures. It can be any type of bus structure. The system memory (1106) includes read only memory (ROM) (1110) and random access memory (RAM) (1112). A basic input / output system (BIOS) is non-volatile, such as ROM, EPROM, EEPROM, which contains basic routines that help the BIOS send information between elements within the computer (1102), such as during startup. Stored in memory (1110). The RAM (1112) may also include a high-speed RAM such as static RAM for caching data.

  The computer (1102) further includes an internal hard disk drive (HDD) (1114) (eg, EIDE,) in which the internal hard disk drive (1114) can be configured for external use in a suitable housing (not shown). SATA), magnetic floppy floppy disk drive (FDD) (1116) (e.g. read from or write to removable diskette (1118)) and DVDs read from or written to (e.g. CD-ROM disk (1122)) An optical disk drive (1120) for reading from or writing to another high capacity optical medium such as The hard disk drive (1114), magnetic disk drive (1116), and optical disk drive (1120) are connected to the system bus (1108) by a hard disk drive interface (1124), a magnetic disk drive interface (1126), and an optical drive interface (1128), respectively. ). The external drive implementation interface (1124) includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

  Drives and their associated computer storage media provide non-volatile storage such as data, data structures, computer-executable instructions. The drives and media for the computer (1102) are adapted for data storage in any suitable digital format. The above description of computer readable media refers to HDDs, removable magnetic diskettes, and removable optical media such as CDs or DVDs, but computers such as ZIP drives, magnetic cassettes, flash memory cards, cartridges, etc. Those skilled in the art will appreciate that other types of readable media may be used in the exemplary operating environment, and that any such media may include computer-executable instructions for implementing the disclosed methods. Will be fully understood.

  Many program modules may be stored in the drive and RAM (1112), including an operating system (1130), one or more application programs (1132), other program modules (1134), and program data (1136). All or part of the operating system, applications, modules, and / or data may also be cached in RAM (1112). It will be appreciated that the disclosed architecture can be implemented using various commercially available operating systems or combinations of operating systems.

  Applications (1132) and / or modules (1134) may include the bootstrap and authentication components (108) and (110) of the proxy server of FIG. If the system (1100) is a client (102), the application (1132) and / or the module (1134) may include the client's processing capabilities to generate, for example, encryption keys and hash key encoding digests. In the context of the domain (104) of FIGS. 1 and 2, the system (1100) may include a certificate authority (208) and / or a data store (204) and a machine account (206).

  A user may enter commands and information into the calculator (1102) via one or more wired / wireless input devices, such as a keyboard (1138) and a pointing device, such as a mouse (1140). Other input devices (not shown) may include a microphone, infrared remote control, joystick, game pad, stylus pen, touch screen, and the like. These and other input devices are often connected to the processing unit (1104) via the input device interface (1142) connected to the system bus (1108), but are connected to a parallel port, IEEE 1394 serial. It can be connected by another interface such as a port, game port, USB port, infrared interface, etc.

  A monitor (1144) or another type of display device is also connected to the system bus (1108) via an interface, such as a video adapter (1146). Computers typically include a monitor (1144) and other peripheral output devices (not shown) such as speakers and printers.

  Computer (1102) may operate in a network environment using logical connections via wired and / or wireless communication with one or more remote computers, such as remote computer (s) (1148). The remote computer (s) (1148) can be a workstation, server computer, router, personal computer, portable computer, microprocessor-based entertainment device, peer device, or another common network node, typically , Which includes the majority or all of the previously described elements associated with computer (1102), but for simplicity only memory / storage (1150) is illustrated. The logical connections shown include a wired / wireless connection with a local area network (LAN) (1152) and / or a larger network, such as a wide area network (WAN) (1154). Such LAN and WAN network environments are common in offices and businesses and facilitate enterprise-wide computer networks such as intranets, all of which can be connected to a global communications network, such as the Internet.

  When used in a LAN networking environment, the computer (1102) is connected to the local network (1152) via a wired and / or wireless communication network interface or adapter (1156). The adapter (1156) may facilitate wired or wireless communication with the LAN (1152), which may also include a wireless access point disposed thereon, to communicate with the wireless adapter (1156).

  When used in a WAN network environment, the computer (1102) may include a modem (1158) or connected to a communication server on the WAN (1154) and communicate via the WAN (1154) in a manner like the Internet. Have another means to establish A modem (1158), which may be a built-in or external, wired or wireless device, is connected to the system bus (1108) via a serial port interface (1142). In a networked environment, program modules displayed in association with the computer (1102) or a portion thereof may be stored in the remote memory / storage (1150). It will be appreciated that the network connections shown are exemplary and other means for establishing a communications link between the computers can be used.

  A computer (1102) can be any wireless device or entity that is operatively arranged using wireless communication, such as a printer, scanner, desktop, and / or portable computer, portable data assistant, communications satellite, any Operately communicate with equipment parts or locations (eg, kiosks, newspaper shops, toilets) and telephones associated with wirelessly detectable tags. This includes at least wireless (Wi-Fi) and Bluetooth® wireless technologies. Thus, the communication can be a predetermined structure such as using a conventional network or simple ad hoc communication between at least two devices.

  Wireless or wireless feasibility allows connection to the Internet wirelessly from a chaise longue at home, a bed in a hotel room, or a meeting room at work. Wireless is a wireless technology that allows such devices, such as computers, to transmit and receive data that is indoors and outdoors anywhere within the range of a base station similar to that used in mobile phones. Wireless networks use a wireless communication technology called IEEE 802.11x (a, b, g, etc.) to provide secure and reliable high-speed wireless connectivity. The wireless network can be used to connect computers to each other with the Internet and wired networks (using IEEE 802.3 or Ethernet).

  Referring now to FIG. 12, a schematic block diagram of an exemplary computing environment (1200) and domain subscription emulation that facilitates insecure provisioning is illustrated. The system (1200) includes one or more clients (1202). Client (1202) may be hardware and / or software (eg, threads, processes, computing devices). The client (1202) stores, for example, cookie (s) and / or associated context information.

  The system (1200) also includes one or more servers (1204). Server (1204) may also be hardware and / or software (eg, threads, processes, computing devices). Server (1204) uses this architecture to store threads for performing transformations, for example. One possible communication between a client (1202) and a server (1204) may be in the form of a data packet adapted to be transmitted between two or more computer processes. The data packet may include, for example, a cookie and / or associated context information. The system (1200) includes a communication framework (1206) that can be used to facilitate communication between a client (1202) and a server (1204) (eg, a global communication network such as the Internet).

  Communication can be facilitated via wired technology (including optical fiber) and / or wireless technology. The client (1202) operates with one or more client data stores (1208) that may be used to store local information (eg, cookie (s) and / or associated contextual information) on the client (1202). Connected as possible. Similarly, server (1204) is operatively connected to one or more server data stores (1210) that may be used to store local information on server (1204).

  Both clients (1202) of FIG. 1 may include a client (102) seeking access to a proxy server (106). Both the data store (204) and certificate authority (208) of FIG. 2 can be servers (1204) and can also be enterprise back-end servers.

  What has been described above includes examples of the disclosed architecture. Of course, it is not possible to describe every possible combination of components and / or methodologies, but those skilled in the art will recognize that there can be many more combinations and substitutions. Accordingly, the new architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Further, as used in the detailed description or in the claims, the term “comprising” is to be interpreted as “consisting of” when used as a transitional word in a claim. The terminology is intended to be as inclusive as the term “consisting of”.

100 Domain Member Credential Management System 102 Mobile Client 104 Private Domain 106 Registration Proxy Server 108 Bootstrap Component 110 Authentication Component 200 Domain Member Credential Management System 202 Device 204 Domain Data Store 206 Machine Account 208 Domain Certificate Authority 300 Mobile Device 302 One Time Password ( OTP)
304 Information 306 Mediation Data Store 1100 Computing System 1102 Computer 1104 Processing Unit 1106 System Memory 1108 System Bus 1110 Read Only Memory (ROM)
1112 Random access memory (RAM)
1114 Internal hard disk drive (HDD)
1116 Magnetic floppy disk drive (FDD)
1118 Removable diskette 1120 Optical disk drive 1122 CD-ROM disk 1124 Hard disk drive interface 1126 Magnetic disk drive interface 1128 Optical drive interface 1130 Operating system 1132 Application program 1134 Other program modules 1136 Program data 1138 Keyboard 1140 Mouse 1142 Input device interface 1144 Monitor 1146 Video adapter 1148 Remote computer 1150 Memory / storage device 1152 Local area network (LAN)
1154 Wide area network (WAN)
1156 wireless communication network interface or adapter 1158 modem 1200 computing environment 1202 client 1204 server 1206 communication framework 1208 client data store 1210 server data store

Claims (20)

A system (100) implemented in a computer for managing domain membership,
A domain proxy bootstrap component (108) for receiving user credentials from mobile clients seeking access to the domain;
An authentication component (110) of the proxy for authenticating the mobile client to the domain based on the user credentials.   The system of claim 1, wherein the user credentials include at least one of a user name or a password.   The system of claim 1, wherein the authentication component generates a machine account for the mobile client based on the user credentials.   The system of claim 1, wherein the mobile client is a mobile phone that communicates the user credentials over an insecure wireless interface. A domain member credential management method implemented in a computer,
Receiving from a mobile device a credential for joining a domain, wherein the credential is received by a proxy server of the domain via a wireless interface (400);
Establishing a trust relationship between the mobile device and the proxy server based on the credentials (402);
Generating a machine account for the mobile device in the domain based on the trust relationship via the proxy server (404);
Joining the mobile device to the domain based on the machine account (406).   6. The method of claim 5, wherein the credential includes at least one of a user name and a one-time password (OTP) or a device ID.   6. The method of claim 5, further comprising receiving a hash key encoding digest of a generic encryption species from the mobile device via a web service.   8. The method of claim 7, further comprising receiving the hash key code digest from the web service using channel encryption.   6. The method of claim 5, further comprising generating a hash key encoded digest of a domain credential at the proxy server based on an encryption key.   Further, transmitting the hash key code digest and the root credential to the mobile device for verification by the mobile device; and establishing the trust relationship based on a successful verification by the mobile device; The method of claim 5 comprising:   6. The method of claim 5, further comprising enabling the mobile client to reconnect to the proxy server using server full credentials with channel encryption for a verification process.   6. The method of claim 5, further comprising verifying that the proxy server credentials are linked back to the domain credentials associated with the full trust relationship.   6. The method of claim 5, further comprising storing a signed domain credential on the mobile device as part of a registration process.   6. The method of claim 5, further comprising: logging into the machine account on behalf of the mobile client; and submitting a credential request to the domain certification authority for a signed certificate.   15. The method of claim 14, wherein the signed credential is returned to the mobile client.   In addition, using the OTP, an encryption key derived from the OTP, a name for the new machine account, a reference to the owner of the client, the fully qualified domain name of the target container for the new machine account, or the encryption key 6. The method of claim 5, comprising storing at least one of the derived general encryption species hash machine authentication code (HMAC) digest in a domain data store.   6. The method of claim 5, further comprising the step of disabling the proxy server support for the mobile client after the subscription operation.   6. The method of claim 5, wherein the trust relationship is a private trust relationship.   6. The method of claim 5, further comprising enrolling the mobile device in the domain that is a private domain based on machine identity credentials rather than user credentials. Means (108) implemented in a computer to receive a credential for joining a domain from a mobile device, wherein the credential is received by a proxy server of the domain over a wireless interface When,
Means (110) implemented in a computer for establishing a trust relationship between the mobile device and the proxy server based on the credentials;
Means (106) implemented in a computer for generating a machine account for the mobile device in the domain based on the trust relationship via the proxy server;
Means implemented in a computer for joining the mobile device to the domain based on the machine account (106).

Images